
SoylentNews is people

posted by n1 on Tuesday June 16 2015, @12:23AM
from the hunter2 dept.

LastPass, a password management service, has informed its customers that its network was successfully targeted by hackers.

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
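The statement above describes a two-stage scheme: the client derives an authentication hash from the master password, and the server strengthens that hash again with a random per-user salt and 100,000 rounds of PBKDF2-SHA256 before storing it. The following Python is an added illustration of that layout and is not LastPass's code; the client-side round count (5,000), the use of the account email as the client-side salt, and the record format are assumptions made for the example, since the statement gives none of them. What it shows is that an attacker holding only the stolen salt and stored hash must pay both stages of PBKDF2 for every master-password guess.

```python
import hashlib
import hmac
import os

# Figure quoted in the LastPass statement above.
SERVER_ROUNDS = 100_000
# ASSUMED client-side round count; the statement gives no number.
CLIENT_ROUNDS = 5_000
KEY_LEN = 32  # 256-bit output to match SHA-256


def client_side_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Value the client sends for authentication (illustrative, not the real wire format).

    The master password never leaves the client; only this PBKDF2 output does.
    Using the lower-cased email as the client-side salt is an assumption for this example.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds, KEY_LEN
    )


def server_side_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server re-hashes the received authentication hash with a random per-user salt.

    This is the stored value. Stealing salt + stored hash does not yield the
    client-side hash; each guess still costs CLIENT_ROUNDS + SERVER_ROUNDS iterations.
    """
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds, KEY_LEN)


def enroll(master_password: str, email: str) -> dict:
    """Create the server-side record: email, random per-user salt, strengthened hash."""
    salt = os.urandom(16)
    stored = server_side_strengthen(client_side_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "auth_hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages and compare in constant time."""
    candidate = server_side_strengthen(
        client_side_hash(master_password, record["email"]), record["salt"]
    )
    return hmac.compare_digest(candidate, record["auth_hash"])


def guess_cost_rounds() -> int:
    """PBKDF2 iterations an offline attacker spends per master-password guess."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample account; not a real user.
    rec = enroll("correct horse battery staple", "alice@example.com")
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "Correct horse battery staple"))  # False
    print(guess_cost_rounds())  # 105000
```

The defensive point is in `verify`: it never stores or compares the master password, only the doubly derived value, and uses `hmac.compare_digest` so a timing side channel cannot leak how many bytes of the stored hash matched.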

SecurityWeek reports:

Rapid7 Security Engineering Manager Tod Beardsley said that he was pleased to see that LastPass disclosed the breach in a weekend's time. He added however that the attackers apparently have all they need to start brute-forcing master passwords.

"The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake “Update your LastPass master password” links," said Beardsley. "So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action."

Additional reporting at The Register notes:

Some LastPass users weren't pleased with how they found out about the breach, either. In comments posted to the company's website on Monday, many expressed dismay that they learned of the incident via online reports on LifeHacker, Reddit, Twitter, and elsewhere, rather than via direct email from LastPass.

"What the hell guys?" one user who identified himself as "Ian" wrote. "I'm not annoyed that you got breached, I'm annoyed that as a paying customer, I found out about it via facebook."

Others complained of problems when trying to change their master passwords, or being locked out of their accounts after making the change.

Also, IT World reported:

The master password change is especially important for users with weak passwords, such as single dictionary words, who will be most at risk of having their passwords cracked. People who use their master password for other accounts should change the password for those other sites as well.

It’s not the first time that LastPass has been hacked. In 2011, the company also suffered a breach, though this attack is different because LastPass knew right away what was taken and has fortified the way it stores passwords in order to better protect against attackers cracking them.


  • (Score: 2, Interesting) by Absolutely.Geek on Tuesday June 16 2015, @02:20AM

    by Absolutely.Geek (5328) on Tuesday June 16 2015, @02:20AM (#196707)

    My master password was a 46 character phrase; my new one is 52 characters.

    If they manage to crack the password (unlikely) and access my account all they will get is the convenience logins. My bank account is still only in my head.

    --
    Don't trust the police or the government - Shihad: My mind's sedate.
  • (Score: 5, Funny) by aristarchus on Tuesday June 16 2015, @02:43AM

    by aristarchus (2645) on Tuesday June 16 2015, @02:43AM (#196714) Journal

    My bank account is still only in my head.

    Hey, so is mine! Sometimes I wish it were in an actual bank, but at least they will never be able to crack the password!

  • (Score: 0) by Anonymous Coward on Tuesday June 16 2015, @03:58AM

    by Anonymous Coward on Tuesday June 16 2015, @03:58AM (#196729)

    My bank account [login] is still only in my head.

    Can you say the same for every person working at your bank? Do you have a spouse; what about them? Can you be certain everyone that could have touched your systems at any point is trustworthy? What about the people that are close to bank employees and what they know or could know? What about the contractors hired by your bank? And there are reused or patterned passwords, master or not, of other people that have tangential access too. FDIC does not cover these scenarios, nor are bank bonds always present. And that assumes everyone plays nice and there is actual legal proof of theft beyond "Hey I did not make this transfer that is on my statement!" It certainly is not in a bondsman's best interests to pay up until they absolutely have to.

  • (Score: 4, Interesting) by mojo chan on Tuesday June 16 2015, @07:40AM

    by mojo chan (266) on Tuesday June 16 2015, @07:40AM (#196773)

    My master password was a 46 character phrase; my new one is 52 characters.

    Simply having a long password may not be very secure. If it is a phrase then most of the crackers these days will have a fair chance of guessing it. They include phrases, things typed in other languages with the keyboard in the wrong input mode, common substitutions etc. Unless it was a string of 52 random characters, which would be very hard to remember, it's actually difficult to know just how secure a long password is these days.

    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ [arstechnica.com]

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    • (Score: 0) by Anonymous Coward on Tuesday June 16 2015, @12:37PM

      by Anonymous Coward on Tuesday June 16 2015, @12:37PM (#196828)

      It's not hard to remember if you keep it on a post-it next to the computer!

      I jest, but I would argue that is prudent security as they would have to be in your house to access it. Only real alternative to having the thing written down somewhere would be to hash a simpler phrase and use that hash, which is less secure. We are humans, and we have our limits.

      • (Score: 0) by Anonymous Coward on Tuesday June 16 2015, @02:30PM

        by Anonymous Coward on Tuesday June 16 2015, @02:30PM (#196865)

        Post-Its are multi-factor auth:
        - Something you know: your username & where to find the post-it
        - Something you have: the post-it
        - Something you are: held at gunpoint when they burgle you

    • (Score: 2) by Beryllium Sphere (r) on Tuesday June 16 2015, @04:59PM

      by Beryllium Sphere (r) (5062) on Tuesday June 16 2015, @04:59PM (#196933)

      Entropy from a non-computer source, 12.9 bits per word, memorizable by making up stories or mental images to fit the passphrase.
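Two comments in this thread make quantitative points worth working through: mojo chan's that a long phrase of ordinary words is worth far less than its character count suggests, and Beryllium Sphere's figure of 12.9 bits per word from a non-computer source (five physical dice select one of 6^5 = 7776 words, the Diceware scheme). The Python below is an added example, not from either commenter or from any project; the word list is reduced to its size and lookup rule, and the vocabulary and alphabet sizes used for comparison are constructed parameters, not measurements.

```python
import math

# One word per five-dice roll: 6**5 = 7776 entries. Only the size and the
# roll-to-index rule matter here; a real list would supply the words.
WORDLIST_SIZE = 6 ** 5


def bits_per_word(list_size: int = WORDLIST_SIZE) -> float:
    """Entropy of one uniformly chosen word: log2(list size). 7776 words -> about 12.9 bits."""
    return math.log2(list_size)


def roll_to_index(roll: str) -> int:
    """Map five physical dice results, e.g. '31642', to a 0-based list index (base 6).

    Taking the randomness from dice rather than software is the 'non-computer
    source' the comment refers to; the mapping itself adds no entropy.
    """
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("a roll is exactly five digits, each 1-6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def diceware_entropy_bits(n_words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n independently rolled words."""
    return n_words * bits_per_word(list_size)


def random_chars_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random string over printable ASCII (95 symbols, an assumption)."""
    return length * math.log2(alphabet_size)


def phrase_entropy_bits(n_words: int, vocab_size: int) -> float:
    """Attacker model for a natural-language phrase: each word an independent pick
    from a vocabulary of vocab_size words. This is an upper bound; a phrase that
    already appears in a cracker's phrase list is worth only log2(list length).
    """
    return n_words * math.log2(vocab_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a secret of the given entropy (half the space)."""
    return 2 ** (bits - 1)


def compare(phrase_words: int, phrase_chars: int, vocab_size: int, dice_words: int) -> dict:
    """Side-by-side estimate, in bits, for the cases discussed in the thread."""
    return {
        "phrase_as_random_chars": round(random_chars_entropy_bits(phrase_chars), 1),
        "phrase_as_vocab_words": round(phrase_entropy_bits(phrase_words, vocab_size), 1),
        "diceware_words": round(diceware_entropy_bits(dice_words), 1),
    }


if __name__ == "__main__":
    # Constructed scenario: a 46-character phrase of 8 common words versus 6 Diceware words.
    print(roll_to_index("31642"))
    print(compare(phrase_words=8, phrase_chars=46, vocab_size=10_000, dice_words=6))
```

Under these models the 46-character phrase is credited with about 302 bits if judged by length alone but only about 106 bits when the attacker guesses words from a 10,000-word vocabulary, and less still if the phrase is a known quotation; six dice-rolled words give about 78 bits that do not depend on how the attacker models English.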